A Digital Signature Method Based on Braid Groups
Conjugacy and Verify Method thereof 

Technical Field 

The present invention relates to a digital signature scheme based on a gap between the conjugacy search problem (CSP) and the conjugacy determination problem (CDP) in the braid group and a verifying method thereof (ECSS), particularly to a method for verifying whether a file is signed by a signatory with his private key by using his public key.

Background of the Invention 

Currently, the digital signature technique commonly used is the RSA signature mechanism, and its security is established on the difficulty of large number factoring. However, with constant improvement of computer processing power and sustained development of related research, RSA has to continuously increase the digits of modulus N to ensure the security, from 512 bits to 1024 bits, further to 2048 bits. Because of the excess length of key bits, the operation for generating big prime numbers and the exponential computation become more complex; therefore, the efficiency of RSA is not very high. If hardware is employed to improve the efficiency, the excess length of bits will result in more complexity and higher cost, and due to the unchangeability of hardware, the service life of hardware becomes shorter, which further increases the cost as a result.

Since Ki Hyoung Ko and Sang Jin Lee of Korea proposed a key exchange protocol and public-key encryption system based on the difficulty of the braid group conjugacy problem (K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. S. Kang and C. S. Park, New Public-Key Cryptosystem Using Braid Groups, Proc. of Crypto 2000, LNCS 1880, Springer-Verlag (2000) 166-183), the braid public key cryptography system has been widely researched. However, there had been no good solution for its digital signature scheme until 2003, when Ki Hyoung Ko and Doo Ho Choi, scholars of Korea, proposed and realized two signature schemes based on the braid conjugacy problem (Ki Hyoung Ko, Doo Ho Choi, Mi Sung Cho and Jang Won Lee, New Signature Scheme Using Conjugacy Problem, Cryptology ePrint Archive: Complete Contents 2003/168): the simple conjugacy signature scheme (SCSS) and the conjugacy signature scheme (CSS). We will explain the two signature schemes SCSS and CSS.

Simple conjugacy signature scheme SCSS: 
Common parameter: braid group $B_n$, hash function $h: \{0,1\}^* \to B_n$

Key generation: public key: a conjugacy pair $(x, x') \in B_n \times B_n$ for which the CSP problem is considered a difficult problem,

private key: $a \in B_n$, meeting $x' = a^{-1} x a$;

Signature: for a given bit sequence message M, the signature of M is $sign(M) = a^{-1} y a$, in which the element $y = h(M)$;

Verify: the signature sign(M) of message M is legal when and only when $sign(M) \sim y$ and $x'\,sign(M) \sim xy$.

However, since a hacker may obtain many pairs $(y, a^{-1} y a)$, this may result in leakage of the private key a, i.e., the k-CSP problem. In order to overcome the above problem, they proposed the CSS signature scheme.

Conjugacy signature scheme CSS: 
Common parameter: braid group $B_n$, hash function $h: \{0,1\}^* \to B_n$

Key generation: public key: a conjugacy pair $(x, x') \in B_n \times B_n$ for which the CSP problem is considered a difficult problem,

private key: $a \in B_n$, meeting $x' = a^{-1} x a$;

Signature: for a given message M, selecting a braid $b \in B_n$ at random, calculating $\alpha = b^{-1} x b$, $y = h(M \| \alpha)$, $\beta = b^{-1} y b$, $\gamma = b^{-1} a y a^{-1} b$; the signature of message M is $sign(M) = (\alpha, \beta, \gamma)$.

Verify: the signature $sign(M) = (\alpha, \beta, \gamma)$ of message M is legal when and only when meeting $\alpha \sim x$, $\beta \sim y$, $\alpha\beta \sim xy$, $\alpha\gamma \sim x'y$.

Due to the introduction of the random braid b, the CSS signature scheme overcomes the k-CSP problem well. But due to the increase of calculation and data, the overall efficiency is decreased distinctly.

Summary of the Invention 

In order to overcome the problem of excess consumption of computer calculation resources in generating big prime numbers and factoring big numbers, and the problem of taking excess time to generate keys and verify signatures due to the increased calculation and data used by CSS to resolve the k-CSP problem in SCSS, the object of the present invention is to provide a digital signature scheme based on the braid group conjugacy problem and a verifying method thereof, for reducing the calculation and data, and improving the efficiency of the whole signature scheme.

In order to realize the above objects, the present invention provides a digital signature scheme based on braid group conjugacy problem, in which parameters involved include a signatory S, a signature verifying party V, a message M needing signature; system parameters needed include n for the number of generators in the braid group, m for the number of generators in the left subgroup, l for the upper bound of the length of a braid, braid group $B_n(l)$, left subgroup $LB_m(l)$ of $B_n(l)$, right subgroup $RB_{n-1-m}(l)$ of $B_n(l)$, one way hash function h mapping from bit sequence $\{0,1\}^*$ to braid group $B_n(l)$; the signature scheme comprises the following steps of:

Step 1. the signatory S selecting three braids $x \in LB_m(l)$, $x' \in B_n(l)$, $a \in B_n(l)$, and making them meet $x' = a^{-1} x a$; moreover, with known x and x' it being impossible to find a in calculation, and considering braid pair (x', x) as a public key of S, braid a as a private key of S;

Step 2. the signatory S using hash function h for message M needing signature to get $y = h(M) \in B_n(l)$;

Step 3. generating a braid $b \in RB_{n-1-m}(l)$ at random, then signing the message M with own private key a and the generated random braid b to obtain $Sign(M) = a^{-1} b y b^{-1} a$; and

Step 4. the signatory S outputting message M and the signature of M, Sign(M).

in which, generating public key braid pair (x', x) and private key braid a of the signatory S in said step 1 comprises the following steps of:

Step 1a. selecting the distance d between public key pairs of system parameter braid group;

Step 1b. representing x as left canonical form $x = \Delta^u \pi_1 \pi_2 \dots \pi_l$;

Step 1c. selecting a braid b at random to belong to set $B_n(5l)$;

Step 1d. calculating $x' = b^{-1} x b$, $a = b$;

Step 1e. generating a bit at random; if 1, calculating $x' = decycling(x')$, $a = a\pi_l$; otherwise, calculating $x' = cycling(x')$, $a = a\tau^u(\pi_1)$; and

Step 1f. judging whether x' belongs to SSS(x) and whether $l(x') \le l$; if all conditions are yes, outputting (x, x') as public key, a as private key; if either of them is not, performing step 1e.

The process of using hash function h for obtaining $y = h(M) \in B_n(l)$ in said step 2 comprises the following steps of:

Step 2a. selecting an ordinary hash function H, with the length of its output H(M) being $l\lfloor \log_2 n! \rfloor$, then dividing H(M) into l sections $R_1 \| R_2 \| \dots \| R_l$ of equal length at one time; and

Step 2b. corresponding $R_i$ to permutation braid $A_i$, then calculating $h(M) = A_1 A_2 \cdots A_l$, i.e., the h(M) required.

The present invention further provides a verifying method of the digital signature scheme based on braid group conjugacy problem, which comprises the following steps of:

Step 1. a signature verifying party V obtaining a public key of signatory S after receiving a message M and the signature of M, Sign(M), transmitted from a signatory S;

Step 2. calculating the message M by employing a system parameter hash function h, to obtain $y = h(M)$;

Step 3. judging whether sign(M) and y are conjugate or not; if not, sign(M) being not a legal signature, and the verification being failed; if yes, performing step 4; and

Step 4. calculating $sign(M)\,x'$ and $xy$ by using the public key of S obtained, and judging whether they are conjugate or not; if not, then sign(M) being not a legal signature, the verification being failed; if yes, sign(M) being the legal signature of message M.

In this method, the form for obtaining the public key of the signatory S in step 1 is an out-band form or the form of receiving the public key transmitted from the signatory S; Algorithm BCDA is employed in judging whether sign(M) and y are conjugate or not in step 3 and whether $sign(M)\,x'$ and $xy$ are conjugate or not in step 4.

Moreover, the present invention further provides a digital signature scheme including the signatory and the verifying party, based on braid group conjugacy problem, and a verifying method thereof (ECSS), in which parameters involved include a signatory S, a signature verifying party V, a message M needing signature, an integer n for the number of generators in the braid group, an integer m for the number of generators in the left subgroup, an integer l for the upper bound of the length of a braid, braid group $B_n(l)$, a left subgroup $LB_m(l)$ of $B_n(l)$, a right subgroup $RB_{n-1-m}(l)$ of $B_n(l)$, a one way hash function h mapping from bit sequence $\{0,1\}^*$ to braid group $B_n(l)$; said signature and its verifying method comprise the following steps of:

Step 1. the signatory S selecting three braids $x \in LB_m(l)$, $x' \in B_n(l)$, $a \in B_n(l)$, and making them meet $x' = a^{-1} x a$; moreover, with known x and x' it being impossible to find a in calculation, and considering braid pair (x', x) as a public key of S, braid a as a private key of S;

Step 2. signatory S using hash function h for the message M needing signature to get $y = h(M) \in B_n(l)$;

Step 3. generating a braid $b \in RB_{n-1-m}(l)$ at random, then signing the message M with own private key a and the generated random braid b to obtain $Sign(M) = a^{-1} b y b^{-1} a$;

Step 4. the signatory S transmitting message M and the signature of M, Sign(M), to the signature verifying party V;

Step 5. the signature verifying party V obtaining the public key of S after receiving the message M and the signature of M, Sign(M), transmitted from signatory S;

Step 6. calculating message M by employing system parameter hash function h, to obtain $y = h(M)$;

Step 7. judging whether sign(M) and y are conjugate or not; if not, sign(M) being not a legal signature, the verification being failed; if yes, performing step 8; and

Step 8. calculating $sign(M)\,x'$ and $xy$ by using the obtained public key of S, and judging whether they are conjugate or not; if not, sign(M) being not a legal signature, the verification being failed; if yes, sign(M) being the legal signature of message M.

As recited in the above solution, the digital signature and the verifying method provided by the present invention have the following advantages:

Because of adding the random braid b, for each message M, the conjugacy element of conjugacy pair (sign(M), h(M)) is $b^{-1}a$; because b is a random braid, and the b selected for each signature is different, the conjugacy element for each time is also different, averting the information leakage of private key a, and avoiding the k-CSP problem caused by only using private key a as the conjugacy element of (sign(M), h(M)) in the SCSS signature scheme of the prior art. The signature scheme ECSS provided by the present invention makes use of the exchangeability of the left subgroup and the right subgroup of the braid groups, and adds a random braid directly, for protecting the secret information of the key and improving the security of the signature algorithm. CSS protects the secret information of the key by introducing two assistant braids. The biggest advantage of ECSS compared to CSS is that it reduces the number of braids involved and the number of conjugacy decisions without reducing the security, and, therefore, improves the operation efficiency of signature. The differences of these three signature schemes are listed in table 1:
Table 1

Signature scheme | Calculation number of signature | Verify number of signature | Data quantity of signature | Security
SCSS | conjugacy calculation: 1 time; hash calculation: 1 time | conjugacy decision: 2 times; hash calculation: 1 time; braid group operation: 2 times | 1 braid | Having k-CSP problem, low security, based on MCSP problem
CSS | conjugacy calculation: 4 times; hash calculation: 1 time | conjugacy decision: 4 times; hash calculation: 1 time; braid group operation: 4 times | 3 braids | Introducing random key factor, resolving the k-CSP problem, based on MTSP problem
Scheme of the present invention (ECSS) | conjugacy calculation: 2 times; hash calculation: 1 time | conjugacy decision: 2 times; hash calculation: 1 time; braid group operation: 2 times | 1 braid | Introducing random factor, resolving the k-CSP problem, based on MCSP problem

The present invention uses a mathematical basis completely different from that of the conventional RSA signature, and does not need to generate big prime numbers; it therefore greatly saves the digits of key and digits of signature, economizes the calculation resource, and improves the efficiency of signature and verification. The CSS signature scheme provided in the prior art gets the data shown in table 2 on a Pentium III 866MHz processor (in which, default setup parameters l=3, d=4, 2^^ < p < 2^^, r=3):



Table 2

n | Number of public key bit | Number of signature | Time for generating key | Time of signature | Time of verification | Strength of security
20 | 370 | 1653 | 17.82 ms | 18.68 ms | 30.87 ms | 2220
24 | 478 | 2138 | 21.70 ms | 22.79 ms | 41.75 ms | 2356
28 | 591 | 2648 | 24.42 ms | 25.77 ms | 59.59 ms | 2S30

Since the time of signature and verification of the present scheme will be greatly reduced compared to the CSS signature, it is more efficient than RSA.

Brief Description of the Drawings 

Fig. 1 is the flowchart of a digital signature scheme based on braid group conjugacy problem of the present invention;

Fig. 2 is the flowchart for generating key in a digital signature scheme based on braid group conjugacy problem of the present invention;

Fig. 3 is the process flowchart of the one-direction hash function h in a digital signature scheme of the present invention;

Fig. 4 is the flowchart of verifying digital signature based on braid group conjugacy problem of the present invention;

Fig. 5 is the process flowchart of determination algorithm BCDA of the CDP problem of the present invention;

Fig. 6 is the flowchart of digital signatures of signatory and verifying party and the verifying method based on braid group conjugacy problem of the present invention.

Detailed Description of Embodiments 

Because the present invention involves a series of mathematical principles, its mathematical background will be explained first in the following:

Braid group $B_n$ (n is the parameter of the group) is an infinite group with finite presentation, generated by Artin generators $\sigma_1, \sigma_2, \dots, \sigma_{n-1}$, which meet the following equations:

$\sigma_i \sigma_j = \sigma_j \sigma_i$ ($|i-j| > 1$, $1 \le i, j < n$) (1)
$\sigma_i \sigma_j \sigma_i = \sigma_j \sigma_i \sigma_j$ ($|i-j| = 1$, $1 \le i, j < n$) (2)

The group generated by the m generators $\sigma_1, \sigma_2, \dots, \sigma_{m-1}$ on the left is called the left subgroup of $B_n$, labeled as $LB_m$; and the subgroup generated by the n-1-m generators $\sigma_{m+1}, \sigma_{m+2}, \dots, \sigma_{n-1}$ on the right is called the right subgroup of $B_n$, labeled as $RB_{n-1-m}$. It is obviously known from (1) that, selecting $(x, y) \in LB_m \times RB_{n-1-m}$ arbitrarily, there is always $xy = yx$. As for a braid b, if it only contains $\sigma_1, \sigma_2, \dots, \sigma_{n-1}$ instead of $\sigma_1^{-1}, \sigma_2^{-1}, \dots, \sigma_{n-1}^{-1}$, b is called a positive element. As for positive elements b, a, if there is a positive element or trivial element c that makes $b = ac$, then a is called a subword of b. The braid $\Delta = (\sigma_1 \sigma_2 \dots \sigma_{n-1})(\sigma_1 \sigma_2 \dots \sigma_{n-2}) \dots (\sigma_1 \sigma_2)(\sigma_1)$ is called the fundamental braid of $B_n$. $\Delta$ meets $\Delta b = \tau(b) \Delta$, where $\tau(\sigma_i) = \sigma_{n-i}$, and a subword of $\Delta$ is called a permutation braid. The set of all permutation braids is in one to one correspondence with the set $S_n$ of permutations on {0, 1, ..., n-1}. Therefore, a subword of $\Delta$ can be represented by a permutation $\pi$: {0, 1, ..., n-1} $\to$ {0, 1, ..., n-1}. Any braid b has a unique left canonical representation form: $b = \Delta^u \pi_1 \pi_2 \dots \pi_l$, in which $\pi_i$ is a permutation braid. Several lengths of b are defined as: $inf(b) = u$, $sup(b) = u + l$, $l(b) = l$.

In a braid group $B_n$, if for two braids $x, y \in B_n$ there is a braid $a \in B_n$ that makes $y = a^{-1} x a$, then braids x, y are conjugate, which is denoted as $x \sim y$, and braid a is called the conjugator of conjugacy pair (x, y); obviously, "$\sim$" indicates an equivalence relation. The basic conjugacy problems of the braid group include the conjugacy decision problem CDP and the conjugacy search problem CSP. The CDP means: for an arbitrarily given braid pair $(x, y) \in B_n \times B_n$, judging whether $x \sim y$ is right. A method is given in the existing signature scheme based on braid group conjugacy problem, which can solve the CDP problem with arbitrarily high probability in polynomial time. The CSP problem means: for a given conjugacy pair $(x, y) \in B_n \times B_n$ ($x \sim y$), finding a braid $a \in B_n$ which makes $y = a^{-1} x a$. For the braid group, there is currently no efficient algorithm which can solve the CSP problem in polynomial time; therefore, for a conjugacy pair $(x, y) \in B_n \times B_n$ selected randomly, their CSP problem will be a difficult problem with high probability. The security of the signature scheme proposed in this description is established on the difficulty of the MCSP problem (matching conjugacy search problem), which is proved to have the same difficulty as the CSP problem. The MCSP problem is described in the following:

known: a conjugacy pair $(x, x') \in B_n \times B_n$ of $B_n$; a braid y
problem: finding a $y' \in B_n$ meeting: $y \sim y'$, $xy \sim x'y'$

Next, the method described in the appended drawings of the present invention is illustrated in detail:

The common parameters required: braid group $B_n$, left braid group $LB_m$, right braid group $RB_{n-1-m}$, hash function h, in which the generators of $B_n$ are $\sigma_1, \sigma_2, \dots, \sigma_{n-1}$, the left braid group $LB_m$ is the subgroup of $B_n$ generated by generators $\sigma_1, \sigma_2, \dots, \sigma_{m-1}$, and the right braid group $RB_{n-1-m}$ is the subgroup of $B_n$ generated by $\sigma_{m+1}, \sigma_{m+2}, \dots, \sigma_{n-1}$.

Its public key is a conjugacy pair $(x', x) \in B_n \times B_n$ for which the CSP problem is considered a difficult problem, and its private key is $a \in B_n$, meeting $x' = a^{-1} x a$;

The flowchart for the signatory signing message M is shown in Fig. 1. For a given message M, first calculate and obtain $y = h(M)$ by using hash function h, select a secret random braid $b \in RB_{n-1-m}$ randomly by using algorithm PBG, and calculate $b y b^{-1}$ and the signature of message M, $sign(M) = a^{-1} b y b^{-1} a$; then, signatory S outputs M and its signature Sign(M).

However, for a hacker, if he wants to forge a signature of message M, what he can know is only the public key (x', x) and $y = h(M)$; if he wants the forged signature sign(M) to meet $sign(M) \sim y$, $x'\,sign(M) \sim xy$, it obviously equals solving the MCSP problem, therefore, it would not be successful. However, for message signature pairs $(y_i, b^{-1} a y_i a^{-1} b)$ that can be analyzed by intercepting and capturing, because of the adding of the random braid b, they can avoid the k-CSP problem. The k-CSP problem is described in the following:

known: k pairs of conjugacy pairs $(x_1, x_1'), \dots, (x_k, x_k') \in B_n \times B_n$ and $x_i' = a^{-1} x_i a$ (i = 1, ..., k);

problem: finding $b \in B_n$, which makes $x_i' = b^{-1} x_i b$ (i = 1, 2, ..., k).

in which, in order to generate the key safely, first define some concepts: for a braid $x \in B_n(l)$, its super summit set is defined as: $SSS(x) = \{y \in B_n(l) \mid y \sim x,\ inf(y) = Maxinf(x),\ sup(y) = Minsup(x)\}$. The security strength of the overall signature algorithm is $|SSS(x)|$, about




/r(n-l)/2 



If $y \sim x$, then define the distance between x and y as $d(x, y) = \min\{l(b) \mid y = b^{-1} x b\}$, then define $s(x, d) = \{y \in SSS(x) \mid d(x, y) \le d\}$. Select $x' \in s(x, d)$, then the CSP problem of conjugacy pair (x', x) becomes a difficult problem, and it can be the public key. Specifically, the flowchart of key generation is shown in Fig. 2. The following is the detailed description of the process for generating the key, wherein by using RSSBG(x, d) = (x', a), $x' \in s(x, d)$ is generated randomly and $x' = a^{-1} x a$, therefore giving the safe public key (x', x) and private key a:

Step 11. determining the distance d between braid group public key pair;

Step 12. representing braid x as left canonical form $x = \Delta^u \pi_1 \pi_2 \dots \pi_l$;

Step 13. selecting a braid b randomly which belongs to the set $B_n(5l)$;

Step 14. calculating $x' = b^{-1} x b$, $a = b$;

Step 15. generating a bit randomly; if 1, then calculating $x' = decycling(x')$, $a = a\pi_l$; otherwise, calculating $x' = cycling(x')$, $a = a\tau^u(\pi_1)$; and

Step 16. judging whether x' belongs to the set SSS(x) and whether $l(x') \le d$ is yes; if all the results being yes, then outputting (x, x') as public key, a as private key; if either of them is no, then performing step 15.

Calculating and obtaining $y = h(M)$ by using hash function h, with its flowchart shown in Fig. 3:

For a hash function h mapping from bit sequence $\{0,1\}^*$ to braid group $B_n(l)$, first compress $\{0,1\}^*$ to obtain a bit sequence $\{0,1\}^N$ with fixed length by using an ordinary hash function, wherein $N = l\lfloor \log_2 n! \rfloor$. Then divide $\{0,1\}^N$ into l sections $r_1 \| r_2 \| \dots \| r_l$, the length of each section being $\lfloor \log_2 n! \rfloor$. Because the number of permutation braids of $B_n(l)$ is n!, a one to one map can be established between the permutation braids and the integer set [0, n!-1], and $r_k$ is transformed into a certain integer in [0, n!-1], which in turn is further transformed into a permutation braid $P_k$; at last, obtain $h(M) = P_1 P_2 \cdots P_l$.
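One way to realise the hash-to-braid map described above, as an added Python example that is not part of the patent. SHAKE-256 stands in for the "ordinary hash function", the Lehmer code is assumed as the one to one map from [0, n!-1] to permutations, and each permutation braid is written as the word of adjacent swaps that sorts the permutation; these choices and the sample message are assumptions.

```python
import hashlib
from math import factorial

def int_to_permutation(k, n):
    """Lehmer-code bijection from [0, n!-1] to permutations of {0..n-1} (assumed map)."""
    items, perm = list(range(n)), []
    for i in range(n, 0, -1):
        idx, k = divmod(k, factorial(i - 1))
        perm.append(items.pop(idx))
    return perm

def permutation_braid(perm):
    """Positive word in Artin generators (1-based indices) for a permutation braid.

    Bubble sort swaps every inverted pair exactly once, so any two strands
    cross at most once, which is the defining property of a permutation braid.
    """
    perm, word = list(perm), []
    for end in range(len(perm) - 1, 0, -1):
        for i in range(end):
            if perm[i] > perm[i + 1]:
                perm[i], perm[i + 1] = perm[i + 1], perm[i]
                word.append(i + 1)          # sigma_{i+1} crosses strands i, i+1
    return word

def hash_to_braid(message, n, l):
    """Return the l permutation-braid factors P_1..P_l of h(M) as generator words."""
    bits = factorial(n).bit_length() - 1    # floor(log2 n!) bits per section
    total = l * bits                        # N = l * floor(log2 n!)
    digest = hashlib.shake_256(message).digest((total + 7) // 8)
    value = int.from_bytes(digest, "big") >> (8 * len(digest) - total)
    mask = (1 << bits) - 1
    sections = [(value >> (bits * (l - 1 - k))) & mask for k in range(l)]
    # every section is < 2^bits <= n!, so it indexes a valid permutation
    return [permutation_braid(int_to_permutation(r, n)) for r in sections]

if __name__ == "__main__":
    factors = hash_to_braid(b"constructed sample message", n=8, l=3)
    print(factors)                          # h(M) is the concatenation of the factors
```

With n = 8 each section is 15 bits, so only the first 2^15 of the 8! = 40320 permutation braids can appear as factors; that is a consequence of the floor in the section length, not of the encoding chosen here.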

The verifying flowchart of the present invention for a digital signature scheme based on braid group conjugacy problem is shown in Fig. 4, including the following steps of:

Step 20. the signature verifying party V obtaining the public key of S after receiving the message M and the signature of M, Sign(M), transmitted by signatory S;

Step 21. calculating message M by using system parameter hash function h, obtaining $y = h(M)$;

Step 22. judging whether sign(M) and y are conjugate; if not, sign(M) is not a legal signature, the verification is failed; if yes, performing step 23; and

Step 23. calculating $sign(M)\,x'$ and $xy$ by using the obtained public key of S, and judging whether they are conjugate; if not, then sign(M) is not a legal signature, verification is failed; if yes, then sign(M) is the legal signature of message M.

In the method, the form of obtaining the public key of S in step 20 is an out-band form, or it is transmitted to verifying party V by signatory S directly.

The algorithm BCDA is employed in judging whether sign(M) and y are conjugate in step 22 and judging whether $sign(M)\,x'$ and $xy$ are conjugate in step 23. This algorithm BCDA is shown in Fig. 5:

For any non-abelian group, there is a function from the group to a ring which is invariant under conjugacy, and is called a character. Define a function from $B_n(l)$ to the Laurent polynomial ring $Z[t, t^{-1}]$: $g \to \det(\Phi(g) - I)$, wherein $g \in B_n(l)$, $\Phi(g)$ is the Burau representation of g, I is the unit matrix, and det() is the determinant of the matrix; it is obvious that the function is a character of $B_n(l)$. $\det(\Phi(g) - I)$ is called the Alexander polynomial of braid g, denoted $P_g(t)$. Obviously, for a $g \in B_n(l)$, the degree of its Alexander polynomial $P_g(t)$ satisfies $\deg(P_g(t)) \le l(n-1)n/2$. To judge whether two braids $a, b \in B_n(l)$ are conjugate, perform the following Alexander test: determine the system parameters prime number p and positive integer r, select r different values $t_1, t_2, \dots, t_r$ in the finite field $Z/pZ$ freely; if for all the $t_i$ (i = 1, 2, ..., r) there is always $P_a(t_i) = P_b(t_i)$, then output 1, otherwise output 0. Because $\deg(P_a(t) - P_b(t)) \le l(n-1)n/2$, the equation $P_a(t) - P_b(t) = 0$ has at most $l(n-1)n/2$ roots. So the probability

$\Pr[P_a(t) \ne P_b(t) \mid \text{the output of Alexander test is } 1] \le \left( \frac{l(n-1)n}{2p} \right)^r$,

and obviously, with the increase of p and r, this probability can be decreased freely. The complexity of the Alexander test calculation is $O(rn^3)$.

Maxinf-Minsup test. For a braid $x \in B_n(l)$, define $Maxinf(x) = \max\{inf(y) \mid y \sim x, y \in B_n(l)\}$, $Minsup(x) = \min\{sup(y) \mid y \sim x, y \in B_n(l)\}$. The Maxinf-Minsup test is: for braids $a, b \in B_n(l)$, judge whether $Maxinf(a) = Maxinf(b)$, $Minsup(a) = Minsup(b)$ is yes; if yes, then output 1, if no, then output 0. Next, the algorithm for calculating Maxinf(x) and Minsup(x) is described. Firstly, define two operations: if $x = \Delta^u \pi_1 \pi_2 \dots \pi_l$, $cycling(x) = (\tau^u(\pi_1))^{-1} x\, \tau^u(\pi_1)$, $decycling(x) = \pi_l^{-1} x \pi_l$. Perform the cycling (decycling) operation on x circularly, until the value of inf begins to increase (the sup value begins to reduce); then consider the currently obtained braid as the new braid, repeat the circular operation, and reset the count of circular times to 1; if the circular times are counted until $m = n(n-1)/2$ and the inf value does not increase any more (the sup value does not reduce any more), then the inf value (sup value) of the current braid is Maxinf(x) (Minsup(x)). As for the theoretical analysis of the algorithm, please refer to the following reference: J. S. Birman, K. H. Ko and S. J. Lee, The infimum, supremum and geodesic length of a braid conjugacy class, to appear in Advances in Mathematics. The arithmetic complexity of the algorithm is 0( fnlog n).

If braids a, b pass the Alexander test and the Maxinf-Minsup test, then determine that $a \sim b$ is right, with one exception of $a \sim b^{-1}$. However, for a and b selected randomly, this exception is nearly impossible, and for a hacker, it is also impossible to use such an excluded situation; as for its analysis, please refer to the following reference: K. H. Ko, S. J. Lee, J. H. Cheon, J. W. Han, J. S. Kang and C. S. Park, New Public-Key Cryptosystem Using Braid Groups, Proc. of Crypto 2000, LNCS 1880, Springer-Verlag (2000) 166-183.

For a legal signature sign(M), because $sign(M) = a^{-1} b y b^{-1} a = (b^{-1}a)^{-1} y\, (b^{-1}a)$, $sign(M) \sim y$ is right; while for $x'\,sign(M) = a^{-1} x a\, a^{-1} b y b^{-1} a = a^{-1} x b y b^{-1} a$, because $x \in LB_m$, $b \in RB_{n-1-m}$, $xb = bx$, therefore $x'\,sign(M) = a^{-1} x a\, a^{-1} b y b^{-1} a = a^{-1} x b y b^{-1} a = a^{-1} b x y b^{-1} a = (b^{-1}a)^{-1} (xy) (b^{-1}a)$, and $x'\,sign(M) \sim xy$; therefore, a legal signature can always pass the verification at last.
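The Alexander test and the correctness argument above, as an added Python example that is not code from the patent. Braids are words in the Artin generators, $\Phi$ is assumed to be the standard reduced Burau representation evaluated at points of $Z_p$, and the parameters n = 8, m = 4, the random words and the stand-in for h(M) are constructed for illustration; only the Alexander half of BCDA is covered, not the Maxinf-Minsup test.

```python
import random

P = 2**31 - 1  # prime modulus for Z_p (illustrative choice)

def identity(k):
    return [[int(r == c) for c in range(k)] for r in range(k)]

def generator(i, n, t, p=P):
    """Reduced Burau matrix of sigma_|i| (its inverse if i < 0) at the point t of Z_p."""
    k, t_inv = abs(i) - 1, pow(t, -1, p)
    diag, left, right = (-t, t, 1) if i > 0 else (-t_inv, 1, t_inv)
    M = identity(n - 1)
    M[k][k] = diag % p
    if k > 0:
        M[k][k - 1] = left % p
    if k < n - 2:
        M[k][k + 1] = right % p
    return M

def burau(word, n, t, p=P):
    """Phi(g) for a braid word g given as a list of +i / -i (sigma_i or its inverse)."""
    M = identity(n - 1)
    for g in word:
        cols = list(zip(*generator(g, n, t, p)))
        M = [[sum(a * b for a, b in zip(row, col)) % p for col in cols] for row in M]
    return M

def det_mod(M, p=P):
    """Determinant over Z_p by Gaussian elimination."""
    M, det = [row[:] for row in M], 1
    for c in range(len(M)):
        piv = next((r for r in range(c, len(M)) if M[r][c] % p), None)
        if piv is None:
            return 0
        if piv != c:
            M[c], M[piv] = M[piv], M[c]
            det = -det
        det = det * M[c][c] % p
        inv = pow(M[c][c], -1, p)
        for r in range(c + 1, len(M)):
            f = M[r][c] * inv % p
            M[r] = [(a - f * b) % p for a, b in zip(M[r], M[c])]
    return det % p

def alexander_value(word, n, t, p=P):
    """P_g(t) = det(Phi(g) - I), the conjugacy-invariant character, at one point t."""
    M = burau(word, n, t, p)
    for i in range(n - 1):
        M[i][i] = (M[i][i] - 1) % p
    return det_mod(M, p)

def alexander_test(u, v, n, r=3, p=P, rng=random):
    """True iff P_u and P_v agree at r distinct random points (necessary for u ~ v)."""
    return all(alexander_value(u, n, t, p) == alexander_value(v, n, t, p)
               for t in rng.sample(range(2, p), r))

def inverse(word):
    return [-g for g in reversed(word)]

def ecss_demo(seed=2024, n=8, m=4):
    """Sign a stand-in hash braid y, run both verification checks and a tampered one."""
    rng = random.Random(seed)
    word = lambda gens, k: [rng.choice(gens) * rng.choice((1, -1)) for _ in range(k)]
    x = word(range(1, m), 12)        # x in LB_m: sigma_1 .. sigma_{m-1}
    a = word(range(1, n), 20)        # private key a in B_n
    b = word(range(m + 1, n), 12)    # per-signature b in RB: sigma_{m+1} .. sigma_{n-1}
    # constructed stand-in for h(M): a positive word that uses every generator
    y = list(range(1, n)) + [rng.choice(range(1, n)) for _ in range(10)]
    x_pub = inverse(a) + x + a                   # x' = a^-1 x a
    sig = inverse(a) + b + y + inverse(b) + a    # Sign(M) = a^-1 b y b^-1 a
    check1 = alexander_test(sig, y, n, rng=rng)              # sign(M) ~ y
    check2 = alexander_test(sig + x_pub, x + y, n, rng=rng)  # sign(M) x' ~ x y
    tampered = alexander_test(sig, y + [1], n, rng=rng)      # same signature, other hash
    return check1, check2, tampered

if __name__ == "__main__":
    print(ecss_demo())
```

The second check passes only because x and b are drawn from generator sets that commute with each other; the test itself is a necessary condition for conjugacy, which is why the scheme pairs it with the Maxinf-Minsup test.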

The present invention also provides a digital signature scheme including the signatory and the verifying party and a verification thereof, see Fig. 6. As in the digital signature scheme and its verifying method of the present invention based on braid conjugacy problem, the signatory uses hash function h for message M needing signature, obtaining $y = h(M) \in B_n(l)$, and generating the key, generating $b \in RB_{n-1-m}(l)$ randomly; the signatory transmits the message M and the signature of M, Sign(M), to the verifying party after obtaining $Sign(M) = a^{-1} b y b^{-1} a$ by signing message M with its own private key a and the generated braid b; the verifying party obtains $y = h(M)$ by calculating message M with hash function h, and verifies the signature of message M with the public key; the detailed process is as follows:

Step 1. the signatory S selecting three braids $x \in LB_m(l)$, $x' \in B_n(l)$, $a \in B_n(l)$, making them meet $x' = a^{-1} x a$, and with the known x and x' it is impossible to find a in calculation, and considering braid pair (x', x) as public key of S, and braid a as private key of S;

Step 2. signatory S obtaining $y = h(M) \in B_n(l)$ by using hash function h for message M needing signature;

Step 3. generating a braid $b \in RB_{n-1-m}(l)$ randomly, then obtaining $Sign(M) = a^{-1} b y b^{-1} a$ by signing the message M with its own private key a and the generated random braid b;

Step 4. the signatory S transmitting message M and its signature Sign(M) to the signature verifying party V;

Step 5. the signature verifying party V obtaining the public key of S after receiving the message M and its signature Sign(M) transmitted by signatory S;

Step 6. calculating message M by using system parameter hash function h, obtaining $y = h(M)$;

Step 7. judging whether sign(M) and y are conjugate; if not, sign(M) is not a legal signature, the verification is failed; if yes, performing step 8; and

Step 8. calculating $sign(M)\,x'$ and $xy$ by using the obtained public key of S, and judging whether they are conjugate; if not, sign(M) is not a legal signature, the verification is failed; if yes, sign(M) is the legal signature of message M;

Because the braid group is an infinite group, in order to realize it by computer, system parameters have to be set. First set system parameters n, l, d (preferred l=3, d=4). Let $B_n(l) = \{b \in B_n \mid 0 \le inf(b),\ sup(b) \le l\}$, then $|B_n(l)| \le (n!)^l$ is finite. For the same reason, $LB_m(l) = \{b \in LB_m \mid 0 \le inf(b),\ sup(b) \le l\}$, $RB_{n-1-m}(l) = \{b \in RB_{n-1-m} \mid 0 \le inf(b),\ sup(b) \le l\}$. A braid is denoted by its Burau representation, which currently is acknowledged to have the fastest calculation speed on computer, that is, denoted by an $(n-1) \times (n-1)$ order matrix on the Laurent polynomial ring $Z[t, t^{-1}]$; the specified permutation rule is as follows:
Perform the following permutation:



-t 

1 1 



02 = 



1 / 

-t 

1 1 



1 t 
1 1 



O 



O 

1 t 



The calculation complexity for transforming a braid belonging to $B_n(l)$ to a Burau representation is O(ln). With the above representation, the group operation and the inverse operation are transformed to matrix multiplication and matrix inversion, all of which can be solved by efficient mathematical tools; their calculation complexity is O(ln).

The method of the present invention can be realized by software. In order to improve speed, the algorithm BCDA can also be realized by hardware, in which the determined system parameters disclosed are: braid group parameters n, l, d, p (preferred n between 20 - 30, l=3, d=4, p between 2^* - 2" ), and the size of the left braid group m (preferred n-m is about 4); determining the hash function h used in hashing the message; the process of signatory S is as follows:

Key generation:

1. generating a braid $x \in LB_m$ by using algorithm PBG at random;

2. obtaining public key (x', x) and private key a by using algorithm RSSBG(x, d).

The signature process:

1. applying hash function h to message M needing signature, obtaining $y = h(M)$;

2. generating a braid b randomly, then calculating $b y b^{-1}$; and

3. calculating $sign(M) = a^{-1} b y b^{-1} a$ by using private key.

The process of verifying party V:

1. applying hash function h to the message M needing its signature verified, obtaining $y = h(M)$;

2. judging whether $sign(M) \sim y$ is right by using algorithm BCDA; if not, the verification is failed, ending; if yes, performing step 3; and

3. calculating $x'\,sign(M)$ and $xy$; judging whether $x'\,sign(M) \sim xy$ is right by using algorithm BCDA; if yes, the verification is passed, ending; otherwise, the verification is failed, ending.

Finally, it should be noted that the above embodiment is only to illustrate the technical scheme of the present invention without any limitation. Although the present invention is described in detail with reference to the preferred embodiment, the ordinary skilled person in the art should understand that the scheme of the present invention can be modified or substituted without departing from the spirit and scope of the technical scheme of the present invention, all of which should be covered in the following claims.